Cybersecurity researchers have confirmed that a massive trove of login credentials tied to Gmail, Instagram, Netflix, and dozens of other everyday platforms was left openly accessible on the internet, without encryption or authentication. The discovery was made by cybersecurity researcher Jeremiah Fowler, working in collaboration with ExpressVPN, who identified a misconfigured cloud database that anyone could access with nothing more than a browser.
According to ExpressVPN’s analysis, the database contained 149,404,754 unique login records, weighing in at roughly 96GB of raw data. These were not abstract datasets or anonymized samples. The exposed information included email addresses, usernames, passwords, and direct login URLs associated with popular services used daily by millions of people.
Sampling of the data revealed credentials linked to email providers, social media platforms, streaming services, gaming accounts, dating apps, financial services, crypto platforms, and even online banking portals.
Breakdown of Email Providers (estimated)
Other notable accounts included:
Investigators believe the credentials were harvested using infostealer malware, a class of malicious software designed to quietly infect devices and extract saved browser passwords, keystrokes, cookies, and session tokens without alerting the user. Once stolen, that data is typically uploaded to remote servers for resale or reuse. In this case, researchers say the cloud database storing the information was left publicly exposed and continued growing while unsecured, suggesting new victims were being added in real time.
Security analysts warn that datasets of this scale dramatically increase the risk of account takeovers, financial fraud, identity theft, and highly convincing phishing campaigns. Because many users reuse passwords across services, a single exposed login can cascade into multiple compromised accounts. Email accounts are especially critical, as control over email often enables password resets for banking, social media, and workplace systems.
Importantly, there is no indication that Gmail, Instagram, Netflix, or other named platforms suffered a fresh breach of their internal systems. Instead, this appears to be a large-scale aggregation of credentials stolen directly from user devices over time and consolidated into one database. That distinction matters technically, but the risk to users remains the same.
From a privacy standpoint, the leak of email addresses and account connections can give criminals the tools they need to create detailed profiles of individuals. By knowing where someone has accounts, what services they use, and possibly their personal or professional ties, the chances of successful social engineering or phishing attacks could rise significantly. Many people store sensitive documents and conversations in their email history, often without realizing the potential risks if someone were to gain unauthorized access.
A takeover of an account can lead to serious privacy concerns, depending on the type of account or service involved. Unauthorized access to images and chat histories from dating sites or adult entertainment accounts could pose risks long after the breach, including harassment or extortion attempts.